Monday, June 30, 2014

Microsoft's Digital Crimes Unit is claiming their 10th major botnet action, this time targeting the malware known as Bladabindi, or more popularly
njRAT, and Jenxcus, better known as H-worm. To do so, Microsoft filed a lawsuit in Nevada against three parties:

Naser Al Mutairi, a Kuwait City resident known to be the author of njRAT through his various aliases, njq8, xnjq8x, njq8x, and njrat

Mohamed Benabdellah, an Algerian living in or near Mila, Algeria, who uses the aliases Houdini, houdinisc, and houdini-fx

The lawsuit is also filed against "John Does 1-500", who are supposedly the 500 principal operators of njRAT and H-Worm malware. (H-Worm is a closely
related RAT, likely based on the same source code.) Because they do not yet know the identities of these RAT operators, they are assigned "John
Doe" aliases, in hopes that the power of discovery granted by the lawsuit can help to reveal their true identities.

On the other side of this Internet battle is Vitalwerks and their literally millions of service users. Vitalwerks provides the capability to host an
Internet service despite the fact that your computer may be using a DHCP-assigned IP address. Normally a web server has to have a permanently assigned IP address
which is listed by a DNS service so that computers on the Internet can find the service you are offering. With Dynamic DNS services, your computer can link to
the service and constantly update its IP address, so that even if your IP changes many times per day your service users can still find you. In Microsoft's lawsuit, they
agree that "Dynamic DNS is a vital part of the Internet because it allows anyone to have a domain name even though they have a changing IP address." Their accusation
is found in the next sentence: "However, if not properly managed, a Dynamic DNS service can be susceptible to abuse."

The lawsuit points out that in April 2013, OpenDNS published an article online detailing its investigation into Dynamic DNS abuse. In that study, On the Trail of Malicious Dynamic DNS Domains by my friend Dhia Mahjoub, OpenDNS collected resolutions of various Dynamic DNS domains, and concluded
that during their study some domains, such as "hopto.org", were used for malicious purposes as often as 56% of the time! Other highly malicious URLs included:

The lawsuit also discusses Symantec reporting about the malware being used on no-ip. One such Symantec report is: Simple njRAT Fuels Nascent Middle East Cybercrime Scene. (Microsoft doesn't really mention that basically NOBODY calls the malware Bladabindi except Microsoft. Just call it njRAT like everyone else, please!) In that report, from March 2014, Symantec mentions one particular group that infects as many as 4500 computers per day using their C&C servers at njratmoony.no-ip.biz and nrj.no-ip.biz.

This blogger can confirm firsthand the complaint made by No-IP themselves. Although Microsoft was supposedly going to ensure that "legitimate" no-ip customers were not impacted, for a significant part of the day on June 30, 2014, large portions of the Internet (including three Linux servers that this blogger uses on three separate networks) had no idea how to find the no-ip domains. The nameservers were not propagated in such a way that the changes were seamless. No-IP's Formal Statement on Microsoft Takedown can be found on their website. In that statement, No-IP claims that "billions of queries" from "millions of innocent users" were dropped "because of Microsoft's attempt to remediate hostnames associated with a few bad actors" and implies that Microsoft did not dedicate enough resources to handle the traffic.

The primary purpose of the court orders was in fact to allow Microsoft to take matters into their own hands and filter the traffic for 130 pages worth (more than 18,000 3LDs) that were hosted by NO-IP and were associated with criminal activity and malware, primarily related to the two RATs, njRAT and H-Worm.

Of course, on the other side of that is the fact that Microsoft documents that in the past twelve months MORE THAN SEVEN MILLION WINDOWS USERS were impacted by malware hosted on NO-IP domains! If someone's infrastructure is routinely abused to harm seven million of your customers, don't you have a right to do something about it? While NO-IP can claim that they have an active abuse desk that deals with these complaints, dozens of criminal tutorials would not recommend hosting your malware on a NO-IP address, and many of those names would not have lived on under consistent names for MANY MONTHS (as in the names mentioned in the above Symantec link), unless there was a clear pattern of NOT terminating offending 3LDs (third-level domains).

Cisco's fabulous cybercrime fighter, Levi Gundert, who I first worked with while he was working on the LA Electronic Crimes Task Force, as one of the most effective U.S. Secret Service cybercrime agents, and who later worked for Team Cymru, recently wrote a piece for Cisco's blog on Dynamic Detection of Malicious DDNS. Levi says that Free DDNS services "check all of the necessary attack boxes" that make the service desirable for criminals. As he explains:

Free DDNS services, by comparison, check all of the necessary attack boxes. Sub-domains can be quickly and easily generated and DNS records are trivially changed. For the remote access Trojan (RAT) crowd that are typically attempting to spy on female victims and running servers from home, DDNS is a natural fit. In fact, searching the web for tutorials on using freely available RATs like Black Shades, Dark Comet, or Poison Ivy returns results that all instruct RAT attackers to first create DDNS sub-domains in order to properly configure the RAT, specifically enabling a “back connect” to the attacker. Naturally, one segment of RAT users tend to be less technical, relying on tutorials and point and click interfaces to actually launch the RAT, which likely contributes significantly to the overall metrics of malicious DDNS use.

Levi provides the following graph showing how often Cisco's Cloud Web Security blocks Dynamic DNS third-level domains, based on the reputation of each service:

zapto.org, one of the NO-IP domains, is blocked 100% of the time for users of Cisco's Cloud Web Security. no-ip.info, no-ip.org, and no-ip.biz are also all blocked between 50% and 100% of the time based on reputation. Levi next goes on to ask, across all the DDNS base domains, "what do the corresponding malware numbers look like for the DDNS domains most abused by threat actors?"

Even after such widespread and published reports of NO-IP being used for malware abuse, Microsoft observed no significant change in their abuse practices, based on the malware analysis they performed. Following the February 2014 Cisco report, Microsoft "continues to see 2,000-3,000 new unique malware samples per month that are supported by No-IP."

But that doesn't mean No-IP is not responsive. Brian Krebs reported on this conflict in his article today, Microsoft Darkens 4mm Sites in Malware Fight, where he quotes No-IP's Natalie Gogun as saying that of the 18,000 sites mentioned in the Temporary Restraining Order, only about 2,000 of them were actually still live. Krebs quotes Crowdstrike's Dmitri Alperovitch mentioning that No-IP has always been very responsive, and I've seen the same. In fact, immediately following the Cisco blog above, a member of the No-IP security team was observed by this blogger on a security researcher mailing list asking if anyone could help him get the full list so he could make sure they killed all of the domain names mentioned. (Hi, Kurt!)

The problem here may be the nature of the malware used on these sites. While the security community regularly sees and reports on financial crimes malware, such as Zeus, or malware that has significant and widespread distribution, in most cases njRat no-ip domains are being used by small-time botmasters to allow themselves to spy on a few dozen webcams. In fact, in a review of more than 1800 recent URLs associated with delivering financial crimes malware observed by Malcovery Security's T3 product, NONE of the No-IP domains were seen to be used. Financial crime malware does not seem to be heavily associated with No-IP. While njRat certainly has the capability to be used for more significant crimes (including installing any additional malware desired by the criminals, and famously being used by the Syrian government to spy on the rebels), its primary reputation is as a tool for online perverts. Their typical victims tend to lack the Internet savvy that allows corporate, industry, and government malware victims to report malware victimization to No-IP and receive a response. Sophisticated financial crimes criminals are very unlikely to link their malware back to dynamic DNS hosts that they personally control and are much more likely to use "more permanent" hosting in the form of hacked or leased servers.

The Microsoft complaint mentions YouTube, and we were able to quickly find many similar njRAT tutorials. There were also njRAT groups hosted on Facebook where botmasters were openly trading photographs of victims and offering to "trade slaves" (as they refer to the pretty girls whose webcams they control.) We reported three such groups to Facebook Security who took quick action to kill the groups which had a combined membership of more than 16,000 users!

Some examples of these creeps' work might help illustrate the type of crimes committed by the typical njRat botmaster:

I can't really take sides on this one. Do we need to do something more to help the victims of this kind of malware? Absolutely. Was it necessary to seize 22 domains at No-IP? I can't argue with Microsoft wanting to prevent infections to more than 7 million Windows victims, but I certainly can understand the great frustration experienced by the No-IP folks.

Thursday, June 05, 2014

What is this graphic about? Read on, Gentle Reader!

Malcovery: Email Based Threat Intelligence and GameOver Zeus

At Malcovery Security we have become EXTREMELY familiar with GameOver Zeus. Our malware analysts create multiple reports each day documenting the top email-based threats, and as the FBI's news releases (covered earlier this week in this blog; see Is it GameOver for GameOver Zeus?) document, the criminals behind GameOver Zeus have been devastatingly thorough in compromising computers. Unlike some sandboxes, when Malcovery reports on a piece of malware, we actually report on "the activity that would result on a computer compromised by this malware" in a holistic view that we call Contextual Analysis. The goal of Malware Contextual Analysis is to help answer questions like:

How would one of my users likely be infected by this malware?

What email subjects or messages may have sent this malware?

Did that spam campaign deliver other malicious attachments or malicious URLs?

If one of my users were compromised by this malware, what network activity may result?

What additional malicious files might be downloaded by a computer compromised with this malware?

. . . and other questions, depending on the nature of the malware

Malcovery's main Malware Threat Intelligence analyst, Brendan Griffin, has shared a special report called The Many Faces of GameOver Zeus that examines many of the ways the malware has been delivered via spam campaigns. In this blog post, I'll be focusing on the Prominent IP addresses associated with the "Encrypted Drop" version of GameOver Zeus distribution.

GameOver Zeus's Encrypted Drop Sites

Back in February, Malcovery reported that GameOver Zeus was being prominently loaded by means of UPATRE malware downloading an Encrypted file from the Internet, and then executing that file. (See our post: GameOver Zeus Now Uses Encryption to Bypass Perimeter Security) With GameOver Zeus possibly taking a significant hit due to the coordinated law enforcement and researcher efforts, I wanted to look at the network infrastructure that we have been warning about in our T3 reports, and just illustrate how the T3 reports can be used to alert you to activity not just from the current day's malware, but for malware that touches any part of the extensive shared infrastructure of GameOver Zeus.

Since that initial post, we've seen GameOver Zeus-related encrypted files drop from more than 200 different Internet locations, get decrypted by the dropper malware, and execute themselves to begin communicating with the peer-to-peer GameOver Zeus infrastructure. The full list of many of those URLs, with the date on which we saw the spam campaign, the brand, item or company being imitated in that spam campaign, and the URLs where the GOZ binaries were accessed, is available at the end of this article. Here is a sampling of some of the most recent ones for now to help understand the process...

For each of the campaigns above, Brendan, Wayne, and J, our malware analysis team, pushed out both an XML and STIX version of the machine readable T3 reports so that our customers could update themselves with information about the spam campaign, the IP addresses that sent that spam to us, the hashes of the spam attachment, the hostile URLs, and the IP addresses associated not only with the GameOver Zeus traffic, but whatever other malware was dropped in the same campaign. As the FBI indicated, it was extremely common for GameOver Zeus infected computers to ALSO become infected with CryptoLocker.

T3: Protection for Today and Tomorrow

But how often did we see "re-use" of network infrastructure? We like to say that Malcovery's T3 report, which stands for Today's Top Threat, is really "T3: Protection for Today and Tomorrow". To illustrate this, I did some data mining in Malcovery's Threat Intelligence database.

First - I isolated network activity for the 92 distinct spam campaigns illustrated above. (There were many more GameOver Zeus campaigns than that, but I was sticking to those samples that used the "encrypted file decrypted by the dropper" version that I had written about in February, so this is a sampling ...)

For each IP address that showed up in network traffic within those 92 campaigns, ranging from February 6, 2014 to May 30, 2014, I counted how many distinct campaigns that indicator had been seen in. Fifty-six IP addresses showed up in ten or more of those campaigns.

I took those IP addresses, and asked the Malcovery Threat Intelligence Database "which spam campaigns delivered malware that caused traffic to those IP addresses?" and was surprised to see not just the original 92 campaign I started with, but 360 distinct spam campaigns!! I culled that down by eliminating the campaigns that only touched ONE of those 56 IP addresses of high interest. The remaining 284 campaigns could be placed into 103 groups based on what they were imitating. Most of the top brands should be familiar to you from Malcovery's Top 10 Phished Brands That Your Anti-Virus is Missing report.
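The three-step pivot just described (count how many campaigns each IP recurs in, take the recurring IPs back to the whole database to find every campaign that touched them, then cull campaigns linked by only a single IP and group the rest by imitated brand) is a generic threat-intelligence technique, so here it is as an added example. This is illustration code written for this post, not Malcovery's T3 tooling or database; the campaign ids, brands and documentation-range IPs are constructed, and the thresholds are parameters you would tune to your own data.

```python
from collections import Counter, defaultdict

# Constructed observations: (campaign_id, brand_imitated, ip_contacted_after_infection).
# Brands echo the table above; the IPs are documentation ranges, not real indicators.
OBSERVATIONS = [
    ("c1", "Ring Central", "203.0.113.10"),
    ("c1", "Ring Central", "198.51.100.7"),
    ("c2", "HMRC", "203.0.113.10"),
    ("c2", "HMRC", "198.51.100.7"),
    ("c3", "HSBC", "203.0.113.10"),
    ("c3", "HSBC", "192.0.2.44"),
    ("c4", "Ring Central", "203.0.113.10"),   # outside the seed set, found by the pivot
    ("c4", "Ring Central", "198.51.100.7"),
    ("c5", "eFax", "198.51.100.7"),           # touches only one high-interest IP: culled
    ("c6", "NatWest", "192.0.2.99"),          # unrelated infrastructure
]

# The analyst's starting point: campaigns already attributed to the family (the "92" above).
SEED_CAMPAIGNS = {"c1", "c2", "c3"}


def campaigns_per_ip(observations, campaign_ids=None):
    """Map each IP to the set of distinct campaigns it appeared in,
    optionally restricted to a seed set of campaign ids."""
    seen = defaultdict(set)
    for cid, _brand, ip in observations:
        if campaign_ids is None or cid in campaign_ids:
            seen[ip].add(cid)
    return seen


def high_interest_ips(observations, seed_campaigns, min_campaigns):
    """Step 1: IPs that recur in at least `min_campaigns` of the seed campaigns."""
    per_ip = campaigns_per_ip(observations, seed_campaigns)
    return {ip for ip, cids in per_ip.items() if len(cids) >= min_campaigns}


def pivot_campaigns(observations, ips, min_shared=2):
    """Step 2: every campaign in the whole database that touched the high-interest
    IPs, culled to those sharing at least `min_shared` of them (one shared IP is
    too weak a link on its own)."""
    touched = defaultdict(set)
    for cid, _brand, ip in observations:
        if ip in ips:
            touched[cid].add(ip)
    return {cid for cid, hit in touched.items() if len(hit) >= min_shared}


def brands_by_campaign_count(observations, campaign_ids):
    """Step 3: group the surviving campaigns by the brand they imitated."""
    brand_of = {cid: brand for cid, brand, _ip in observations}
    return Counter(brand_of[cid] for cid in campaign_ids)


def run_analysis(observations=OBSERVATIONS, seed=SEED_CAMPAIGNS, min_campaigns=2):
    """Run the full pivot and return the intermediate and final results."""
    ips = high_interest_ips(observations, seed, min_campaigns)
    related = pivot_campaigns(observations, ips)
    return {
        "high_interest_ips": ips,
        "related_campaigns": related,
        "new_campaigns": related - seed,
        "brands": brands_by_campaign_count(observations, related),
    }


if __name__ == "__main__":
    result = run_analysis()
    print("high-interest IPs:", sorted(result["high_interest_ips"]))
    print("related campaigns:", sorted(result["related_campaigns"]),
          "of which new:", sorted(result["new_campaigns"]))
    for brand, n in result["brands"].most_common():
        print(f"{brand:15} {n} campaigns")
```

The point of the cull step is precision: an IP shared by a single campaign may be a CDN node or a sinkhole rather than shared criminal infrastructure, so requiring two or more shared high-interest IPs before a campaign is pulled into the cluster keeps the brand table from being polluted by coincidental overlap.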

Brand Imitated in Spam        # of Campaigns Seen
Ring Central                  30 campaigns
HMRC                          15 campaigns
HSBC                          13 campaigns
Royal Bank of Scotland        14 campaigns
NatWest                       11 campaigns
eFax                          11 campaigns
Sage                          10 campaigns
Lloyds Bank                    8 campaigns
UK Government Gateway          8 campaigns
Xerox                          8 campaigns
ADP                            6 campaigns
Companies House                6 campaigns
IRS                            6 campaigns
New Fax                        5 campaigns
Paypal                         5 campaigns
Sky                            5 campaigns
UPS                            5 campaigns
Amazon                         4 campaigns
Bank of America                4 campaigns
BT.com                         4 campaigns
Microsoft                      4 campaigns
QuickBooks                     4 campaigns
Wells Fargo                    4 campaigns
WhatsApp                       4 campaigns

I threw the data into IBM's i2 Analyst Notebook, my favorite tool for getting a quick visualization of data, and did some arrangement to try to show the regionality of the data. I know the graph is too dense to see what is in the interior, but let me explain it here:

On the left are IP addresses that are owned by Microsoft. They are arranged by netblock, with the size of the computer icon representing how many malware campaigns that IP was linked to. Top to bottom, numerically by netblock, these are from the 23.96, 23.98, 137.116, 137.135, 138.91, 168.61, 168.63, and 191.232 blocks. The Microsoft traffic only started appearing in late April, so it is possible this is traffic related to "sinkholing" or attempting to enumerate the botnet as part of the investigation. I have no insider knowledge of any such activity, just stating what we observed. We *DID* go back and look at the packet captures for these runs (we keep all of our PCAPs) and the traffic was exactly like the other peer-to-peer chatter for GameOver Zeus.

On the top are IP addresses in APNIC countries. (Japan, Hong Kong, China)

On the right are IP addresses in ARIN countries. (Canada, USA)

In the bottom right corner is one LACNIC IP. (Venezuela)

And on the bottom are RIPE countries. (Netherlands, Moldova, Switzerland, Great Britain, Ukraine, Sweden, Belgium, France, and Austria)

The IP addresses on the chart above are also included here in tabular form:

Monday, June 02, 2014

Several weeks ago law enforcement friends in Pittsburgh started asking people not to publish anything too public about GameOver Zeus. When we asked why, we got a teasing "You'll see!" Now our ISP friends that were participating in the effort are grinning ear to ear as we may actually have a chance to disrupt Zeus in a meaningful way. Being a legal geek, I was excited to have the documents published on the main Justice website today at www.justice.gov/opa/gameover-zeus.html.

The Complaint against Evgeniy Mikhailovich Bogachev aka Slavik, aka Pollingsoon was unsealed in court where the Pittsburgh FBI led the investigation into CryptoLocker and GameOver Zeus. In addition to Bogachev, charges are filed against several aliases of as-yet-unidentified hackers, "Temp Special", "Ded", Chingiz (aka Chingiz 911), and Mr.KyKyPyKy. The Complaint charges that "Together, GOZ and Cryptolocker have infected hundreds of thousands of computers around the world and have generated losses that exceed $100 million."

Some of the specific cases mentioned in the complaint include:

A composite materials company in the Western District of Pennsylvania which lost more than $198,000 from its bank account using credentials stolen by the Defendants through the use of GOZ. (The Pittsburgh Indictment shares more details, telling us this was Haysite Reinforced Plastics, whose PNC Bank account was fraudulently accessed and used to send their money to a mule account in the name of Lynch Enterprises, LLC, at SunTrust Bank in Atlanta, Georgia, after they clicked on a NACHA email informing them their ACH payment had failed, in October 2011. They also transferred $175,756.91 to an account belonging to R&R Jewelers, and ATTEMPTED six additional transfers, all on October 20, 2011. The money in the SunTrust account was quickly moved on ($99,822 of it, anyway) to an HSBC account in London.)

An Indian tribe in Washington - $277,000

A corporation managing assisted living facilities in Pennsylvania - $190,800

A regional bank in Northern Florida - $7 Million

CryptoLocker is described separately as having "first emerged in mid-to-late 2013" and infected "more than 230,000 computers, including more than 120,000 in the United States."

Just between October 15, 2013 and December 18, 2013, we know that $27 million in ransom payments were made, just by tracking the ransom payments made using Bitcoin!

The charges in the criminal complaint are:

Count I: Wire fraud: 18 USC Section 1343 "Having devised a scheme or artifice to defraud and for obtaining money by means of false or fraudulent pretenses and transmitting and causing to be transmitted by means of wire communications in interstate and foreign commerce, writings, signs, and signals for the purpose of executing such scheme or artifice."

Count II: Bank Fraud: 18 USC Section 1344 "knowingly executing a scheme or artifice to defraud financial institutions insured by the FDIC and to obtain moneys under the custody and control of these institutions by means of false and fraudulent pretenses and representations."

Count III: Unauthorized interception of electronic communications: 18 USC Section 2511 "intentionally intercepting electronic communications, and intentionally using and endeavoring to use the contents of the electronic communications knowing that the information is obtained through the unauthorized interception of electronic communications."

all of which, according to 18 USC Section 1345(a) and (b) allows Injunctive Relief to prevent a continuing and substantial injury to the owners and legitimate users of the infected computers.

The 28-page Application for Temporary Restraining Order, whose affiant was an FBI Pittsburgh cyber agent, recounts that while the largest known single wire transfer was a $6.9 million wire, fraudulent wires in the amount of $1 million were "very common." A single bank experienced 11 fraudulent wires, with six being for more than $950,000 and the largest being 2 million dollars!

The GOZ affidavit mentions a few email addresses: Bogachev uses bollinger.evgeniy@yandex.ru as one email address, while Chingiz 911 uses charajiang16@gmail.com. Seeing the nickname "Ded" as one of the members of the gang, I can't help but recall "Ded Pixto", the nickname for Stanislav Avdeiko, the Koobface malware author.

So how will this "takedown" actually work? First, some hard work by a couple of genius malware reverse engineers at Dell SecureWorks and CrowdStrike helped the Pittsburgh FBI agent to understand the current Command & Control infrastructure so it could be rendered harmless. The problem, though, is that both GOZ and Cryptolocker have a built-in backup plan in the form of a Domain Generation Algorithm. The job of a DGA is to allow the botmaster to reconnect to his bots IN THE FUTURE using infrastructure that neither the bots nor the botmaster have even created yet. A formula is used to calculate a domain name based on a timestamp. So, if NONE of the hard-coded IP addresses can be reached, the bot will look up the current date and begin "guessing" domains that the criminal may have registered for use to update the bot with new hard-coded addresses. As a few examples, on July 1, 2014, CryptoLocker will try to connect to 1,000 domains, including:

1) directs four U.S. based internet domain Registries to block access to around 900 PAGES of domain names seemingly the "future" list of DGA-generated domain names for CryptoLocker and GOZ. The GameOver Zeus domains are listed in Appendix A while the CryptoLocker domains are listed in Appendix B. Because ICANN only has jurisdiction over the Generic TLDs, this approach doesn't work for the ".ru" domains. CryptoLocker also uses ".co.uk" domains, so one would hope that the British government has asked for a similar favor from their counterpart registries. The four Registries in the US were, VeriSign, Inc., representing .com and .net, Neustar, Inc., representing .biz, Affilias USA, Inc., representing .info, and Public Interest Registry, representing .org.

Appendix A actually contains 25,937 domains for Game Over Zeus, arranged in ten columns, with three columns of domains listed on pages 1-69, 70-138, 139-207, and then a single column on pages 208 to 276. It's actually seven columns of 2594 domains and three columns of 2593 domains, or 25,937 domains for Game Over Zeus.

Appendix B has six columns on pp. 1-176, pp.177-352, and then six columns of various length from 353 to the end of the 704 page document, for a total of 130,421 domains for CryptoLocker.

Affilias, Neustar, Verisign, and Public Interest Registry are ordered to redirect all of those 156,000 or so domains to use the nameservers ns1.kratosdns.net and ns2.kratosdns.net, preventing the criminals from using those domains to re-establish control of their botnet.

2) directs the twenty largest ISPs in America to not allow access from their networks to the .RU domains that the DGA can make, as the .RU domains are not under ICANN control. The ISPs named here are:

Those ISPs are forbidden to allow traffic to the .ru domains listed in Appendix C.

3) To redirect all traffic intended for one of those domains to .gov controlled servers

and

4) to seek a Pen Register/Trap and Trace Order that would gather information about the nodes directed to those replacement boxes, and to share that information back to the ISPs and victims to help them protect themselves. This "Dialing, Routing, Addressing, and Signaling" data (called DRAS in telephone-legalese) is to be turned over to the government so that attempts can be made to clean up these victims' computers.
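The DGA mechanics described above (a formula that turns the date into a list of candidate domains, which the defenders pre-compute for future dates and then have registries redirect or ISPs block, depending on whether the TLD is under ICANN control) can be shown end to end in a few dozen lines. The following is an added example written for this post: the generator is a deliberately simple hypothetical DGA, not CryptoLocker's or GOZ's real algorithm, the TLD list and the resolver log lines are constructed, and the date/counter seeding is an assumption chosen only to make the defender's side (pre-compute, partition by TLD, match against DNS logs) concrete.

```python
import hashlib
import re
from datetime import date, timedelta

# Hypothetical toy DGA (NOT the real CryptoLocker/GOZ formula): the calendar date plus a
# counter is hashed with SHA-256 and the digest bytes are mapped onto a letter label and a
# TLD. Anyone who knows the formula, botmaster or defender, can compute the same list for
# any date, which is what makes pre-emptive blocking possible.
TLDS = ["com", "net", "biz", "info", "org", "ru", "co.uk"]
ICANN_GTLDS = {"com", "net", "biz", "info", "org"}   # TLDs the U.S. registries in the order control


def toy_dga(day_iso, count):
    """Return the `count` domains the toy DGA yields for an ISO date such as '2014-07-01'."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day_iso}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def build_blocklist(start_iso, days, per_day):
    """Pre-compute every domain for `days` consecutive dates (the role of Appendices A and B).
    Maps domain -> the date on which the bots would try it."""
    start = date.fromisoformat(start_iso)
    blocklist = {}
    for offset in range(days):
        day = (start + timedelta(days=offset)).isoformat()
        for domain in toy_dga(day, per_day):
            blocklist[domain] = day
    return blocklist


def partition_by_tld(blocklist):
    """Split the list the way the order had to: ICANN gTLDs can be redirected at the registry,
    everything else (.ru and .co.uk here) needs another lever such as ISP-level blocking."""
    registry, other = set(), set()
    for domain in blocklist:
        tld = domain.split(".", 1)[1]
        (registry if tld in ICANN_GTLDS else other).add(domain)
    return registry, other


# Constructed log format: "<timestamp> <client_ip> query <qname>".
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")


def match_dns_log(lines, blocklist):
    """Flag resolver log lines whose queried name is a pre-computed DGA domain; this is the
    detection side, pointing at hosts that have fallen back to the DGA. Returns
    (client_ip, domain, dga_date) tuples; malformed or non-matching lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        _ts, client, qname = m.groups()
        qname = qname.lower().rstrip(".")   # normalise case and trailing dot
        if qname in blocklist:
            hits.append((client, qname, blocklist[qname]))
    return hits


# Constructed resolver log: two hosts querying their day's toy-DGA names, plus benign noise.
SAMPLE_LOG = [
    f"2014-07-01T03:12:09Z 10.0.0.5 query {toy_dga('2014-07-01', 3)[2]}.",
    "2014-07-01T03:12:10Z 10.0.0.5 query www.example.com.",
    f"2014-07-02T11:40:01Z 10.0.0.9 query {toy_dga('2014-07-02', 3)[0].upper()}",
    "2014-07-02T11:40:02Z 10.0.0.7 query mail.example.org",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    bl = build_blocklist("2014-07-01", 2, 3)
    reg, other = partition_by_tld(bl)
    print(f"{len(bl)} domains pre-computed: {len(reg)} for registries, {len(other)} for ISP blocking")
    for client, domain, day in match_dns_log(SAMPLE_LOG, bl):
        print(f"{client} queried DGA domain {domain} (live on {day})")
```

Scaled to the real numbers in the order (1,000 domains a day for CryptoLocker, which is how Appendix B reaches 130,421 entries) the same three functions are what turn a reverse-engineered DGA into a registry redirect list, an ISP block list for the TLDs ICANN cannot reach, and a resolver-log search that identifies infected hosts for notification.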